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- The MAILING DATE of this communication appears on the cover sheet with the correspondence address - 
Period for Reply 



A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) OR THIRTY (30) DAYS, 
WHICHEVER IS LONGER, FROM THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1 .136(a). In no event, however, may a reply be timely filed 
after SIX (6) MONTHS from the mailing date of this communication. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133). 
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any 
earned patent term adjustment. See 37 CFR 1.704(b). 

Status 

1)S Responsive to communication(s) filed on 09 May 2006 . 
2a)D This action is FINAL. 2b)^ This action is non-final. 

3) D Since this application is in condition for allowance except for formal matters, prosecution as to the merits is 

closed in accordance with the practice under Ex parte Quay/e, 1 935 CD. 1 1 , 453 O.G. 213. 

Disposition of Claims 

4) H Claim(s) 1-21 is/are pending in the application. 

4a) Of the above claim(s) is/are withdrawn from consideration 

5) D Claim(s) is/are allowed. 

6) (3 Claim(s) 1-21 is/are rejected. 

7) D Claim(s) is/are objected to. 

8) D Claim(s) are subject to restriction and/or election requirement 

Application Papers 

9) H The specification is objected to by the Examiner. 

10) S The drawing(s) filed on 03 January 2002 is/are: a)(3 accepted or b)D objected to by the Examiner. 

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a). 
Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d). 

1 1) D The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-1 52. 

Priority under 35 U.S.C. § 119 

1 2) D Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 1 1 9(a)-(d) or (f). 
a)D All b)D Some * c)U None of: 

1 .□ Certified copies of the priority documents have been received. 

2. D Certified copies of the priority documents have been received in Application No. . 

3. D Copies of the certified copies of the priority documents have been received in this National Stage 

application from the International Bureau (PCT Rule 17.2(a)). 
* See the attached detailed Office action for a list of the certified copies not received. 
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DETAILED ACTION 

1 . Claims 1 - 21 have been presented for examination. Presently, pending claims 
are 1 -21. 

Appeal Brief filed 5/9/2006 has been fully considered and a new ground of 
rejection has been made to withdraw the finality of the rejection. 

Claim Objections 

2. Claim 5 - 6, 12 - 13 and 19-20 are objected to because of the following 
informalities: "one of a computer and a collection of computers" should be "one of a 
computer or a collection of computers". Appropriate correction is required. 

Specification 

3. The disclosure is objected to because of the following informalities: "several 
source computer" should be "several source computers". Appropriate correction is 
required. 
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Claim Rejections - 35 USC § 102 

The following is a quotation of the appropriate paragraph of 35 U.S.C. 102 that 
forms the basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 1 22(b), by another filed 
in the United States before the invention by the applicant for patent or (2) a patent granted on an application for 
patent by another filed in the United States before the invention by the applicant for patent, except that an 
international application filed under the treaty defined in section 351(a) shall have the effects for purposes of this 
subsection of an application filed in the United States only if the international application designated the United 
States and was published under Article 21(2) of such treaty in the English language. 

4. Claims 1 -4, 8-11 and 15- 18 are rejected under 35 U.S.C. 102(e) as being 
anticipated by Drake et al. (US Patent 6,347,374). 

As per claim 1 , 8 and 15, Drake teaches a method in a data processing system 
for reporting security situations, comprising the steps of: 

logging events by storing event attributes as an event set, wherein each event 
set includes a source attribute, a target attribute and an event category attribute (Drake: 
Column 12 Line 43 - 45 and Column 1 5 Line 60 - 67); 

classifying events as groups by aggregating events with at least one attribute 
within the event set as an identical value (Drake: Column 12 Line 2-4, Column 12 Line 
38-41 and Column 16 Line 1 -8, Column 11 Line 38-50 and Column 14 Line 18- 
21 : Drake teaches aggregating the correlated raw events into event groups with at least 
one attribute within the event set as an identical value such as (a) same user ID, or (b) 
same group type as "authentication failure" to generate an alert of severity situations). 
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calculating severity levels for the groups, wherein a severity level for a group is a 
function of a number of events comprising the group and values of common elements in 
the group (Drake: Column 1 2 Line 29 - 30, Column 1 6 Line 15-18, Column 1 1 Line 38 
-50, Column 16 Line 15- 18 and Column 14 Line 18-21: the "authentication failure" 
is qualified to meet the severity level as an event caused by the failures of a user login). 

reporting a group from the groups to a user as a situation, if a severity level of the 
group exceeds a threshold value (Drake: Column 1 1 Line 38 - 50 and Column 14 Line 
18 - 21 : the "authentication failure" is qualified to meet the severity level as an event 
caused by the failures of a user login when the aggregating events exceed the 
predetermined number (i.e., threshold = 3) as taught by Drake). 

As per claim 2, 9 and 16, Drake teaches the severity levels are calculated based 
on at least one of the number of event sets within each of the groups, the source 
attribute of the event sets within each of the groups, the target attribute of the event sets 
within each of the groups, and the event category attribute of the event sets within each 
of the groups (Drake: Column 11 Line 38-50 and Column 14 Line 18-21: Drake 
teaches aggregating the correlated raw events into event groups with at least one 
attribute within the event set as an identical value such as (a) same user ID, or (b) same 
group type as "authentication failure" to generate an alert of severity situations). 

As per claim 3, 10 and 17, Drake teaches the events include at least one of a 
web server event, an electronic mail event, a Trojan horse, denial of service, a virus, a 
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network event, an authentication failure, and an access violation (Drake: Column 14 
Line 18-21: authentication failures). 

As per claim 4, 1 1 and 18, Drake teaches calculating the threshold value based 
on at least one of the source attribute of the event sets within the group, the target 
attribute of the event sets within the group, the event category attribute in each event 
set of the group, and the number of attributes in each event set of the group that are 
held constant across all of the event sets in the group (Drake: Column 16 Line 13-18 
and Column 14 Line 18-21). 

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

A person shall be entitled to a patent unless - 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

5. Claims 5 -7, 12 -14 and 19-21 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over in view of Drake et al. (US Patent 6,347,374), in view of Burrows et 
al. (US Patent 2002/0073338). 
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As per claim 7, 14 and 21, Drake does not disclose expressly aggregating a 
subset of the groups into a combined group. 

Burrows teaches aggregating a subset of the groups into a combined group 
(Burrows: Para [0050] and Para [0046] Line 10-11: similar to the Figure 8 / Element 
804/806/802 of the instant application, the single source computer that causes 
broadcast storms to any of the unspecified destination computers, as taught by 
Burrows, does indeed generate a combined group of events. Likewise, it applies to the 
similar situation of denial-of-service attacks). 

It would have been obvious to a person of ordinary skill in the art at the time the 
invention was made to combine the teaching of Burrows within the system of Drake 
because (a) Drake teaches improving network security by providing an effective event 
detecting systems (Drake, see example, Column 2 Line 4-8 and Column 3 Line 34 - 
35]) and (b) Burrows teaches managing and tracking computer security incidents that 
may occur in a network computer system by effectively detecting any types of behavior 
and undesirable patterns of packet traffic (Burrows: Para [0019]). 

As per claim 5, 12 and 19, Drake does not disclose expressly the target attribute 
represents one of a computer and a collection of computers. 

Burrows teaches the target attribute represents one of a computer and a 
collection of computers (Burrows: Para [0050] and Para [0046] Line 1 0 - 1 1 : the target 
attribute could be the single server computer that causes denial-of-service or a 
collection of computers such as broadcast storms). 
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Same rationale of combination applies herein as above in rejecting the claim 7. 

As per claim 6, 13 and 20, Drake does not disclose expressly the source attribute 
represents one of a computer and a collection of computers. 

Burrows teaches the source attribute represents one of a computer and a 
collection of computers (Burrows: Para [0050] and Para [0046] Line 10 - 1 1 : the source 
attribute could be the single source computer that causes broadcast storms to any of 
the unspecified destination computers or as a collection of computers such as denial-of- 
service attacks). 

Same rationale of combination applies herein as above in rejecting the claim 7. 



Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Longbit Chai whose telephone number is 571-272-3788. 
The examiner can normally be reached on Monday-Friday 8:00am-4:00pm. 
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If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz R. Sheikh can be reached on 571-272-3795. The fax phone number 
for the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 




Longbit Chai 
Examiner 
Art Unit 21 31 
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